Breakpoint in v8::internal::Invoke
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6559700396277760

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Breakpoint
Crash Address: 0x5e732800
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=50359:50360

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6559700396277760

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jan 17 2018

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/72be2d2138209eed2959c10cff1f90b9d7b4bc67

commit 72be2d2138209eed2959c10cff1f90b9d7b4bc67
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Wed Jan 17 15:41:13 2018

[turbofan] put TypeGuard into the effect chain and maintain it until EffectControlLinearizer

We need to maintain TypeGuard nodes until the EffectControlLinearizer, because they can protect partial operations from floating above a check. In the linked bug, it was a DeadValue node that got scheduled too early. In LoadElimination and EscapeAnalysis, the inserted TypeGuard nodes might depend on map checks on the effect chain. Thus TypeGuard has to be an effect chain node too.

Bug: chromium:800929
Change-Id: Icdcff96a2273d96b7f8cd6f85511ad62c1cb129a
Reviewed-on: https://chromium-review.googlesource.com/860405
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50661}

[modify] https://crrev.com/72be2d2138209eed2959c10cff1f90b9d7b4bc67/src/compiler/bytecode-graph-builder.cc
[modify] https://crrev.com/72be2d2138209eed2959c10cff1f90b9d7b4bc67/src/compiler/common-operator.cc
[modify] https://crrev.com/72be2d2138209eed2959c10cff1f90b9d7b4bc67/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/72be2d2138209eed2959c10cff1f90b9d7b4bc67/src/compiler/escape-analysis-reducer.cc
[modify] https://crrev.com/72be2d2138209eed2959c10cff1f90b9d7b4bc67/src/compiler/escape-analysis-reducer.h
[modify] https://crrev.com/72be2d2138209eed2959c10cff1f90b9d7b4bc67/src/compiler/graph-trimmer.cc
[modify] https://crrev.com/72be2d2138209eed2959c10cff1f90b9d7b4bc67/src/compiler/js-builtin-reducer.cc
[modify] https://crrev.com/72be2d2138209eed2959c10cff1f90b9d7b4bc67/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/72be2d2138209eed2959c10cff1f90b9d7b4bc67/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/72be2d2138209eed2959c10cff1f90b9d7b4bc67/src/compiler/js-typed-lowering.cc
[modify] https://crrev.com/72be2d2138209eed2959c10cff1f90b9d7b4bc67/src/compiler/loop-variable-optimizer.cc
[modify] https://crrev.com/72be2d2138209eed2959c10cff1f90b9d7b4bc67/src/compiler/loop-variable-optimizer.h
[modify] https://crrev.com/72be2d2138209eed2959c10cff1f90b9d7b4bc67/src/compiler/simplified-lowering.cc
Jan 18 2018

ClusterFuzz has detected this issue as fixed in range 50660:50661.

Detailed report: https://clusterfuzz.com/testcase?key=6559700396277760

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Breakpoint
Crash Address: 0x5e732800
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=50359:50360
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=50660:50661

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6559700396277760

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 18 2018

ClusterFuzz testcase 6559700396277760 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jan 10 2018
Owner: tebbi@chromium.org
Status: Assigned (was: Untriaged)